[Bug 918588] Re: PowerDNS Authoritative Server can be caused to generate a traffic loop CVE-2012-0206
Thanks Charles, I've updated our database, it should propagate to the website in a few hours. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/918588 Title: PowerDNS Authoritative Server can be caused to generate a traffic loop CVE-2012-0206 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/pdns/+bug/918588/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 918588] Re: PowerDNS Authoritative Server can be caused to generate a traffic loop CVE-2012-0206
The tracker at http://people.canonical.com/~ubuntu- security/cve/2012/CVE-2012-0206.html lists 12.04, 14.04 and 14.10 as needed. However it looks like it is actually fixed in all of them. The CVE description states before 3.0.1 and 14.04 and 14.10 are newer than 3.01. This is from the changelog in the current 12.04 package. pdns (3.0-1.1) unstable; urgency=high * Non-maintainer upload. * Don't respond to responses fixes CVE-2012-0206 * Make build dependency on mongodb-dev arch specific (Closes: #654568). -- Luk Claes luk@debian Sun, 15 Jan 2012 19:13:17 +0100 And to confirm it I checked and the package and it does contain the patch CVE-2012-0206 in the debian/patches directory. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/918588 Title: PowerDNS Authoritative Server can be caused to generate a traffic loop CVE-2012-0206 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/pdns/+bug/918588/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 918588] Re: PowerDNS Authoritative Server can be caused to generate a traffic loop CVE-2012-0206
This bug was fixed in the package pdns - 2.9.22-9ubuntu2.1 --- pdns (2.9.22-9ubuntu2.1) oneiric-security; urgency=low * SECURITY UPDATE: temporary DoS with specially crafted packets (LP: #918588) - debian/patches/CVE-2012-0206: prevent the auth servers from entering a packet loop. Based on upstream suggestion. - CVE-2012-0206 -- Imre Gergely gi...@narancs.net Wed, 08 Feb 2012 22:54:35 +0200 ** Changed in: pdns (Ubuntu) Status: Confirmed = Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/918588 Title: PowerDNS Authoritative Server can be caused to generate a traffic loop CVE-2012-0206 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/pdns/+bug/918588/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 918588] Re: PowerDNS Authoritative Server can be caused to generate a traffic loop CVE-2012-0206
Hi Imre - The diffs look good. Thanks! I touched up the Hardy diff a bit. DEP-3 defines how to do dpatch tagging (which I didn't realize before now) and I got rid of the rest of the junk at the top of the patch. I figure that you had some build files laying around when you created the dpatch. The patches have been uploaded and are building. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/918588 Title: PowerDNS Authoritative Server can be caused to generate a traffic loop CVE-2012-0206 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/pdns/+bug/918588/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 918588] Re: PowerDNS Authoritative Server can be caused to generate a traffic loop CVE-2012-0206
** Description changed: Please see http://doc.powerdns.com/powerdns-advisory-2012-01.html - Doesn't appear to be in the Ubuntu CVE tracker - - http://people.canonical.com/~ubuntu-security/cve/ gives a 404 message - for the CVE number http://people.canonical.com/~ubuntu- + Ubuntu CVE tracker - http://people.canonical.com/~ubuntu- security/cve/CVE-2012-0206 Looks like all released versions of Ubuntu are vulnerable; I've not looked at Precise. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/918588 Title: PowerDNS Authoritative Server can be caused to generate a traffic loop CVE-2012-0206 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/pdns/+bug/918588/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 918588] Re: PowerDNS Authoritative Server can be caused to generate a traffic loop CVE-2012-0206
Hi Imre - Thanks for the debdiff! The code changes look fine and passed our build checks. I have a couple small formatting suggestions to follow our normal security update style: 1) Since you recreated the patch based upon changes suggested in the advisory, the patch should follow the DEP-3 patch tagging guidelines: http://dep.debian.net/deps/dep3/ You really just need a Description: tag followed by some descriptive text, along with an Origin: upstream, http://doc.powerdns.com/powerdns- advisory-2012-01.html tag. 2) By using the DEP-3 guidelines, you would then drop the URL from the changelog text and the patch description line would look something like this: - debian/patches/CVE-2012-0206: Short, but meaningful, description here. Based on upstream patch. Note that there is no need to provide a debdiff for the Natty release, as I will do a fake sync from the Debian update (we don't have a delta on that specific package version). -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/918588 Title: PowerDNS Authoritative Server can be caused to generate a traffic loop CVE-2012-0206 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/pdns/+bug/918588/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 918588] Re: PowerDNS Authoritative Server can be caused to generate a traffic loop CVE-2012-0206
Attaching the revised debdiff for Precise. ** Patch removed: debdiff vs. pdns_2.9.22-9ubuntu4 https://bugs.launchpad.net/ubuntu/+source/pdns/+bug/918588/+attachment/2717328/+files/pdns-precise.debdiff ** Patch added: debdiff vs. pdns_2.9.22-9ubuntu4 https://bugs.launchpad.net/ubuntu/+source/pdns/+bug/918588/+attachment/2724543/+files/pdns-precise.debdiff -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/918588 Title: PowerDNS Authoritative Server can be caused to generate a traffic loop CVE-2012-0206 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/pdns/+bug/918588/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 918588] Re: PowerDNS Authoritative Server can be caused to generate a traffic loop CVE-2012-0206
Attached debdiff for Oneiric. Built and tested the package with the patch, it works. ** Patch added: oneiric debdiff https://bugs.launchpad.net/ubuntu/+source/pdns/+bug/918588/+attachment/2724868/+files/pdns-oneiric.debdiff -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/918588 Title: PowerDNS Authoritative Server can be caused to generate a traffic loop CVE-2012-0206 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/pdns/+bug/918588/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 918588] Re: PowerDNS Authoritative Server can be caused to generate a traffic loop CVE-2012-0206
Attached debdiff for Maverick. Built and tested the package with the patch, it works. ** Patch added: maverick debdiff https://bugs.launchpad.net/ubuntu/+source/pdns/+bug/918588/+attachment/2724877/+files/pdns-maverick.debdiff -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/918588 Title: PowerDNS Authoritative Server can be caused to generate a traffic loop CVE-2012-0206 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/pdns/+bug/918588/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 918588] Re: PowerDNS Authoritative Server can be caused to generate a traffic loop CVE-2012-0206
Attached debdiff for Lucid. Built and tested the package with the patch, it works. ** Patch added: lucid debdiff https://bugs.launchpad.net/ubuntu/+source/pdns/+bug/918588/+attachment/2724880/+files/pdns-lucid.debdiff -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/918588 Title: PowerDNS Authoritative Server can be caused to generate a traffic loop CVE-2012-0206 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/pdns/+bug/918588/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 918588] Re: PowerDNS Authoritative Server can be caused to generate a traffic loop CVE-2012-0206
Also created a debdiff for Hardy. Patch applied without problems, it also solves the problem on Hardy, but the debdiff is rather big, I'm not sure what's all the extra stuff in there. The actual changes are at the end, the rest I have no clue. I did create the 2.9.21-5ubuntu1.2 package on Lucid with debuild. debdiff is done against the last version I found in hardy-security, namely 2.9.21-5ubuntu1.1. Please take a look at this debdiff. The patch is a bit different, it's dpatch-style, but I added description just to be a bit clearer. ** Patch added: hardy debdiff against 2.9.21-5ubuntu1.1 https://bugs.launchpad.net/ubuntu/+source/pdns/+bug/918588/+attachment/2724928/+files/pdns-hardy.debdiff -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/918588 Title: PowerDNS Authoritative Server can be caused to generate a traffic loop CVE-2012-0206 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/pdns/+bug/918588/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 918588] Re: PowerDNS Authoritative Server can be caused to generate a traffic loop CVE-2012-0206
Attached debdiff for Precise. I've tested with help of upstream, and this patch solved the problem. Please take a look and if everything is OK, I will do debdiffs for every release. Thanks. ** Patch added: debdiff vs. pdns_2.9.22-9ubuntu4 https://bugs.launchpad.net/ubuntu/+source/pdns/+bug/918588/+attachment/2717328/+files/pdns-precise.debdiff -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/918588 Title: PowerDNS Authoritative Server can be caused to generate a traffic loop CVE-2012-0206 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/pdns/+bug/918588/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 918588] Re: PowerDNS Authoritative Server can be caused to generate a traffic loop CVE-2012-0206
The attachment debdiff vs. pdns_2.9.22-9ubuntu4 of this bug report has been identified as being a patch in the form of a debdiff. The ubuntu- sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu- sponsors team please also unsubscribe the team from this bug report. [This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.] ** Tags added: patch -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/918588 Title: PowerDNS Authoritative Server can be caused to generate a traffic loop CVE-2012-0206 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/pdns/+bug/918588/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 918588] Re: PowerDNS Authoritative Server can be caused to generate a traffic loop CVE-2012-0206
Some more details on this fix. I've taken the patch recommended by upstream from http://doc.powerdns.com/powerdns-advisory-2012-01.html (scroll down to the end), and created a patch file in debian/patches. Seems to be a two-liner. Testing of this package was done on Precise daily build server iso downloaded from http://cdimage.ubuntu.com/ubuntu-server/daily/current/precise-server-i386.iso . -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/918588 Title: PowerDNS Authoritative Server can be caused to generate a traffic loop CVE-2012-0206 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/pdns/+bug/918588/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 918588] Re: PowerDNS Authoritative Server can be caused to generate a traffic loop CVE-2012-0206
Thanks, I've added it to the tracker now. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/918588 Title: PowerDNS Authoritative Server can be caused to generate a traffic loop CVE-2012-0206 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/pdns/+bug/918588/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 918588] Re: PowerDNS Authoritative Server can be caused to generate a traffic loop CVE-2012-0206
** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2012-0206 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/918588 Title: PowerDNS Authoritative Server can be caused to generate a traffic loop CVE-2012-0206 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/pdns/+bug/918588/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
